SSL certificate on an EC2 instance


1. Get an SSL Certificate

There are several ways to obtain an SSL certificate. For simplicity, let's use Let’s Encrypt, a free SSL certificate provider.

Option 1: Use Let’s Encrypt (via Certbot)

  • Install Certbot on your EC2 instance (assuming you’re using a Linux-based instance, e.g., Ubuntu).

    Install Certbot:

    sudo apt update
    sudo apt install certbot
    sudo apt install python3-certbot-apache   # for Apache; use python3-certbot-nginx for Nginx
  • Obtain and install the SSL certificate using Certbot: Run the following command, replacing your-domain.com with your actual domain name:

    sudo certbot --apache -d your-domain.com -d www.your-domain.com

    Certbot configures the certificate in your Apache or Nginx server for you and also sets up automatic renewal.

    If you're using Nginx, replace --apache with --nginx.

Option 2: Use AWS ACM (for Elastic Load Balancer)

If you use AWS services like Elastic Load Balancer (ELB), you can request an SSL certificate through AWS Certificate Manager (ACM).

  • Request a Certificate:
    1. Open the AWS Management Console.
    2. Go to AWS Certificate Manager.
    3. Click Request a certificate, choose Public Certificate, and follow the prompts.
    4. Validate the domain ownership using DNS or Email validation.
  • After validation, you’ll get the SSL certificate and its details. You can then use it with an Elastic Load Balancer or CloudFront distribution.

2. Install the SSL Certificate on Your EC2 Instance

If you use a certificate from Let’s Encrypt, it is typically stored in the /etc/letsencrypt/live/your-domain.com/ directory.

To configure your web server:

For Apache:

  • Enable SSL module (if it’s not already enabled):

    sudo a2enmod ssl
  • Edit the Apache SSL configuration file:

    sudo nano /etc/apache2/sites-available/default-ssl.conf
  • Update the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile directives with the paths to the SSL certificate files from Let’s Encrypt:

    SSLCertificateFile      /etc/letsencrypt/live/your-domain.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/your-domain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/your-domain.com/chain.pem
    # chain.pem holds only the intermediate(s); fullchain.pem is cert.pem + chain.pem.
    # On Apache 2.4.8 or later SSLCertificateChainFile is deprecated: point
    # SSLCertificateFile at fullchain.pem instead and omit the chain directive.
  • Enable the SSL site:

    sudo a2ensite default-ssl.conf
    sudo systemctl reload apache2

For Nginx:

  • Open the Nginx configuration file for your site:

    sudo nano /etc/nginx/sites-available/your-domain.com
  • Update the ssl_certificate and ssl_certificate_key with the correct paths:

    server {
        listen 443 ssl;
        server_name your-domain.com www.your-domain.com;

        ssl_certificate     /etc/letsencrypt/live/your-domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

        # Other Nginx configuration
    }
  • Reload Nginx:

    sudo nginx -t                  # Check configuration
    sudo systemctl reload nginx

3. Redirect HTTP to HTTPS

It’s a good practice to redirect all HTTP traffic to HTTPS to ensure secure communication.

For Apache:

  • Edit the Apache configuration file or .htaccess file:

    sudo nano /var/www/html/.htaccess
  • Add the following lines to redirect HTTP to HTTPS:

    # Requires mod_rewrite (sudo a2enmod rewrite) and AllowOverride enabled for this directory.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

For Nginx:

  • Add the following server block to your Nginx config to handle the redirection:

    server {
        listen 80;
        server_name your-domain.com www.your-domain.com;
        # $server_name expands to the first name listed above; use $host instead
        # to preserve whichever host name the client requested.
        return 301 https://$server_name$request_uri;
    }

4. Test Your SSL Certificate

Once everything is set up, test your site using a browser or an SSL checker tool to confirm that the SSL certificate is working correctly.

Visit your site in a browser and ensure the padlock icon appears in the address bar (indicating HTTPS is active).

You can also use tools like SSL Labs' SSL Test to check the details and security of your SSL implementation.

5. Automate Certificate Renewal

Let’s Encrypt certificates need to be renewed every 90 days. Certbot can automate this process.

  • To set up automatic renewal for Certbot, add a cron job:

    sudo crontab -e
  • Add the following line to automatically renew the certificate:

    # For Apache:
    0 0,12 * * * certbot renew --quiet && systemctl reload apache2
    # or, for Nginx:
    0 0,12 * * * certbot renew --quiet && systemctl reload nginx

This cron job will check for certificate expiration twice a day and renew it if necessary.
